Restrict the permissions of registered applications #104

Open
CrsiX opened this issue Apr 28, 2022 · 0 comments
Labels
feature request A feature we'd like to have

CrsiX commented Apr 28, 2022

Currently, the API is designed in an all-or-nothing way. It would be really great if the scope of applications could be limited somehow. The current suggestion is to introduce three different "levels" of power for an application (besides the zero-power level without any authentication):

  • read allows an application to query the GET endpoints of the server, but any POST/PUT/DELETE call will be rejected with a 403 error
  • limited allows an application to perform all read (see above) and some write commands, e.g. creating a user alias or accepting a user alias confirmation request, but no commands where actual money could be transferred (e.g. by communisms, refunds or transactions); all such restricted queries will be rejected with a 403 error
  • all uses the old behavior and allows an application to use all endpoints
CrsiX added the feature request label Apr 28, 2022
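One way to turn the three proposed levels into a single authorization decision, added here as an example; this is not code from the project this issue belongs to nor from CrsiX. The `Level` enum, the `authorize` function, the `Decision` type and the endpoint paths in `MONEY_MOVING_PREFIXES` are all assumptions, as is treating HEAD like GET and PATCH like PUT. The check is default-deny: anything not explicitly granted to a level is answered with 403, and unauthenticated calls with 401.

```python
from dataclasses import dataclass
from enum import Enum


class Level(str, Enum):
    """Power levels for a registered application (assumed names)."""
    NONE = "none"        # no authentication at all
    READ = "read"        # GET endpoints only
    LIMITED = "limited"  # GET plus writes that cannot move money
    ALL = "all"          # the old all-or-nothing behaviour


# Assumed: HEAD is a read like GET; PATCH is a write like PUT.
READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed list of endpoint prefixes where money could be transferred.
# The real route layout is not part of the issue text.
MONEY_MOVING_PREFIXES = ("/v1/communisms", "/v1/refunds", "/v1/transactions")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    status: int   # HTTP status the API would answer with
    reason: str


def _moves_money(path: str) -> bool:
    """True if `path` is a money-moving prefix or a sub-path of one.

    The match is segment-aware, so '/v1/refundsX' is not matched by
    '/v1/refunds'; query strings and a trailing slash are ignored.
    """
    path = path.split("?", 1)[0].rstrip("/") or "/"
    for prefix in MONEY_MOVING_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def authorize(level: Level, method: str, path: str) -> Decision:
    """Decide whether an application at `level` may call `method path`."""
    method = method.upper()
    if level is Level.NONE:
        return Decision(False, 401, "authentication required")
    if method in READ_METHODS:
        # Every authenticated level may query the GET endpoints.
        return Decision(True, 200, "read access")
    if method not in WRITE_METHODS:
        return Decision(False, 403, f"method {method} not permitted")
    if level is Level.READ:
        return Decision(False, 403, "read-only application")
    if level is Level.LIMITED:
        if _moves_money(path):
            return Decision(False, 403, "money-moving endpoint restricted")
        return Decision(True, 200, "limited write access")
    if level is Level.ALL:
        return Decision(True, 200, "full access")
    return Decision(False, 403, "unknown level")  # default deny


if __name__ == "__main__":
    # Constructed sample requests covering each level and both path kinds.
    samples = [
        (Level.READ, "GET", "/v1/users"),
        (Level.READ, "POST", "/v1/aliases"),
        (Level.LIMITED, "POST", "/v1/aliases"),
        (Level.LIMITED, "POST", "/v1/transactions"),
        (Level.ALL, "DELETE", "/v1/refunds/7"),
    ]
    for level, method, path in samples:
        d = authorize(level, method, path)
        print(f"{level.value:8} {method:6} {path:20} -> {d.status} {d.reason}")
```

Keeping the money-moving endpoints in one explicit list means a new money-moving route that is forgotten there would be reachable by a limited application; if the server grows, an allow-list of the non-money write routes is the safer direction, since an omission then fails closed.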